Dragonfly

Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. [1][2]

A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups. [3][4][5]

ID: G0035
Associated Groups: TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear
Version: 2.0
Created: 31 May 2017
Last Modified: 14 October 2020

Associated Group Descriptions

Name Description
TG-4192 [2]
Crouching Yeti [2]
IRON LIBERTY [2][6][7]
Energetic Bear [1][2][6][7]

Techniques Used

Domain ID Name Use
Enterprise T1189 Drive-by Compromise

Dragonfly has compromised targets via strategic web compromise (SWC) using a custom exploit kit.[2]

Enterprise T1566 Phishing

Dragonfly has used spearphishing campaigns to gain access to victims.[2]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Dragonfly has placed trojanized installers on legitimate vendor app stores.[2]

Software

ID Name References Techniques
S0093 Backdoor.Oldrea [1] Account Discovery: Email Account, Archive Collected Data, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Credentials from Password Stores: Credentials from Web Browsers, Data Encoding: Standard Encoding, File and Directory Discovery, Indicator Removal on Host: File Deletion, Process Discovery, Process Injection, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0002 Mimikatz [2] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0029 PsExec [2] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0094 Trojan.Karagany [1][7] Application Layer Protocol: Web Protocols, Application Window Discovery, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Credentials from Password Stores: Credentials from Web Browsers, Data Staged: Local Data Staging, Encrypted Channel: Asymmetric Cryptography, File and Directory Discovery, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Input Capture: Keylogging, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, OS Credential Dumping, Process Discovery, Process Injection: Thread Execution Hijacking, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Virtualization/Sandbox Evasion: System Checks
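The Software table lists PsExec (S0029) for Remote Services: SMB/Windows Admin Shares and System Services: Service Execution. PsExec works by copying its service binary into the target's ADMIN$ share and then registering it as a service, which leaves two log artifacts: a Security event 5145 showing a write to \\*\ADMIN$ and a System event 7045 recording the new service. The script below is an added detection example written for this page; it is not code from MITRE ATT&CK or from any Dragonfly tooling. It assumes the events have been exported as JSON lines with the field names shown, and the hosts, users, addresses and timestamps in the sample log are constructed for the example. Matching on the default service name PSEXESVC is not enough, since PsExec's -r option renames the service, so the script also correlates an ADMIN$ write with a service install on the same host inside a short window; the last two sample records show a renamed service being caught only by that correlation.

```python
"""Flag PsExec-style remote service execution in exported Windows event logs.

Added example for the ATT&CK Dragonfly page; not ATT&CK or Dragonfly code.
Assumes JSON-lines export with the fields used below (EventID, Computer,
TimeCreated, ServiceName, ImagePath, ShareName, AccessMask, IpAddress).
"""
import json
import re
from datetime import datetime

SERVICE_INSTALLED = 7045   # System log: a new service was installed
SHARE_ACCESS = 5145        # Security log: network share object accessed
WRITE_DATA = 0x2           # 5145 AccessMask bit for WriteData / AddFile

# Default service names/binaries dropped by PsExec and common clones.
# Assumption: tune this list for your environment.
PSEXEC_NAME_RE = re.compile(r"psexesvc|paexec|remcom|csexec", re.IGNORECASE)

# Constructed sample export: one real PsExec run on hmi-01, a benign service
# install on eng-ws-07, an ordinary file-share read on fs-02, and a renamed
# PsExec service (psexec -r svchost2) on dc-01.
SAMPLE_LOG = r"""
{"EventID": 5145, "Computer": "hmi-01.corp.example", "TimeCreated": "2020-10-14T10:00:01", "SubjectUserName": "svc_admin", "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "PSEXESVC.exe", "AccessMask": "0x2"}
{"EventID": 7045, "Computer": "hmi-01.corp.example", "TimeCreated": "2020-10-14T10:00:03", "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}
{"EventID": 7045, "Computer": "eng-ws-07.corp.example", "TimeCreated": "2020-10-14T11:30:00", "ServiceName": "WdNisSvc", "ImagePath": "\"C:\\Program Files\\Windows Defender\\NisSrv.exe\""}
{"EventID": 5145, "Computer": "fs-02.corp.example", "TimeCreated": "2020-10-14T12:00:00", "SubjectUserName": "jdoe", "IpAddress": "10.0.7.41", "ShareName": "\\\\*\\Data", "RelativeTargetName": "report.xlsx", "AccessMask": "0x1"}
{"EventID": 5145, "Computer": "dc-01.corp.example", "TimeCreated": "2020-10-14T13:00:00", "SubjectUserName": "svc_admin", "IpAddress": "10.0.5.23", "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "svchost2.exe", "AccessMask": "0x2"}
{"EventID": 7045, "Computer": "dc-01.corp.example", "TimeCreated": "2020-10-14T13:00:02", "ServiceName": "svchost2", "ImagePath": "%SystemRoot%\\svchost2.exe"}
"""


def load_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_time(stamp):
    return datetime.fromisoformat(stamp)


def is_admin_share_write(event):
    """True for a 5145 event that wrote into the ADMIN$ share."""
    if event.get("EventID") != SHARE_ACCESS:
        return False
    share = event.get("ShareName", "").upper()
    mask = int(event.get("AccessMask", "0x0"), 16)
    return share.endswith("ADMIN$") and bool(mask & WRITE_DATA)


def find_psexec_activity(events, window_seconds=60):
    """Return one finding per 7045 event that looks like PsExec service execution.

    A service install is flagged if its name or image matches a known PsExec
    service, or if the same host saw an ADMIN$ write in the preceding window.
    """
    admin_writes = [e for e in events if is_admin_share_write(e)]
    findings = []
    for e in events:
        if e.get("EventID") != SERVICE_INSTALLED:
            continue
        t = parse_time(e["TimeCreated"])
        name, image = e.get("ServiceName", ""), e.get("ImagePath", "")
        reasons = []
        if PSEXEC_NAME_RE.search(name) or PSEXEC_NAME_RE.search(image):
            reasons.append("known PsExec service name")
        preceding = [
            w for w in admin_writes
            if w["Computer"] == e["Computer"]
            and 0 <= (t - parse_time(w["TimeCreated"])).total_seconds() <= window_seconds
        ]
        if preceding:
            sources = ", ".join(sorted({w["IpAddress"] for w in preceding}))
            reasons.append(f"ADMIN$ write from {sources} within {window_seconds}s")
        if reasons:
            findings.append({"host": e["Computer"], "time": e["TimeCreated"],
                             "service": name, "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_psexec_activity(load_events(SAMPLE_LOG)):
        print(f"{f['time']} {f['host']}: service {f['service']!r} "
              f"({f['image']}) - {'; '.join(f['reasons'])}")
```

Event 5145 is only generated when "Audit Detailed File Share" is enabled in the advanced audit policy, and 7045 is written by the Service Control Manager on every host, so the correlation leg needs that audit setting on the systems you want to watch. The window is intentionally short: PsExec registers the service immediately after copying the binary, and a wide window mainly adds false positives from administrators who legitimately stage files through ADMIN$.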

References